CVE-2016-5007 Spring Security / MVC Path Matching Inconsistency #49

Open
php-coder opened this issue Jul 11, 2016 · 5 comments

Comments

@php-coder

More info:

@cplvic
Contributor

cplvic commented Feb 15, 2017

Hey @jasinner
I can do the pull request, but this issue affects 2 packages, Spring Framework and Spring Security (distinct artifact IDs). How do I create the relevant YAML file?

Never mind, I found an example :D

@cplvic
Contributor

cplvic commented Feb 27, 2017

Pull Request #71

@cplvic
Contributor

cplvic commented Feb 27, 2017

Dumb question: if I wanted to indicate that the affected version is anything under 4.0.x, what is the syntax?

would it be

">=4.0.0.Final,4.0"

?

@jasinner
Member

Hi @cplvic,
For anything under 4.0.0.Final you should just use >=4.0.0.Final. The YAML file seems incorrect, as you haven't specified the appropriate ranges, i.e.:

<=3.2.10.RELEASE,3.2
<=4.0.4.RELEASE,4.0

and

<=3.2.18.RELEASE,3.2
<=4.0.9.RELEASE,4.0
<=4.1.9.RELEASE,4.1
<=4.2.9.RELEASE,4.2

Regards
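A small checker for the range syntax discussed in this thread, added here as an example; it is not code from the victims-cve-db project. It assumes the entry grammar implied by the comment above, OPERATOR VERSION[,SERIES], where the optional series after the comma restricts the bound to one minor line (so `<=3.2.10.RELEASE,3.2` matches 3.2.10.RELEASE but not 3.1.x or 3.20.x), and it borrows the two groups of ranges jasinner lists (the thread does not say which artifact each belongs to, so they are named GROUP_A and GROUP_B here). The version ordering (numeric segments compared as integers, RELEASE/Final ranked above RC/M/SNAPSHOT qualifiers) is this example's own convention, not the project's.

```python
import operator
import re

# Assumed entry grammar (this example's reading of the thread, not the
# project's spec): OPERATOR VERSION [ "," SERIES ]
_ENTRY_RE = re.compile(r"^(<=|>=|==|<|>)?([^,\s]+)(?:,([^,\s]+))?$")
_OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
        "<": operator.lt, ">": operator.gt}
# Qualifiers treated as final releases; anything else (RC1, M2, SNAPSHOT)
# sorts before the release carrying the same numbers.
_RELEASE_QUALIFIERS = {"", "RELEASE", "FINAL", "GA"}


def version_key(version):
    """Turn '4.0.4.RELEASE' into ((4, 0, 4, 0), 1, 'RELEASE') so that
    tuple comparison orders versions numerically rather than lexically
    (3.2.18 > 3.2.9), with pre-release qualifiers ranked below releases."""
    nums, qualifier = [], ""
    parts = version.split(".")
    for i, part in enumerate(parts):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = ".".join(parts[i:])
            break
    nums += [0] * (4 - len(nums))            # so that 4.0 == 4.0.0
    rank = 1 if qualifier.upper() in _RELEASE_QUALIFIERS else 0
    return (tuple(nums), rank, qualifier.upper())


def parse_entry(entry):
    """'<=3.2.10.RELEASE,3.2' -> ('<=', '3.2.10.RELEASE', '3.2');
    a bare version with no operator is treated as an exact match."""
    m = _ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised version entry: {entry!r}")
    op, bound, series = m.groups()
    return (op or "==", bound, series)


def in_series(version, series):
    """True when the leading numeric segments of version equal the series:
    3.2.10.RELEASE is in 3.2, but 3.20.1 and 3.1.4 are not."""
    want = tuple(int(p) for p in series.split("."))
    return version_key(version)[0][:len(want)] == want


def matches_entry(version, entry):
    """Apply one entry: the series filter first, then the bound operator."""
    op, bound, series = parse_entry(entry)
    if series is not None and not in_series(version, series):
        return False
    return _OPS[op](version_key(version), version_key(bound))


def is_affected(version, entries):
    """A version is affected if any entry in the list matches it."""
    return any(matches_entry(version, e) for e in entries)


# The two groups of ranges from the comment above (constructed sample data;
# the thread does not say which artifact each group belongs to).
GROUP_A = ["<=3.2.10.RELEASE,3.2", "<=4.0.4.RELEASE,4.0"]
GROUP_B = ["<=3.2.18.RELEASE,3.2", "<=4.0.9.RELEASE,4.0",
           "<=4.1.9.RELEASE,4.1", "<=4.2.9.RELEASE,4.2"]


if __name__ == "__main__":
    for v in ["3.2.10.RELEASE", "3.2.11.RELEASE", "4.1.0.RELEASE",
              "3.20.1.RELEASE", "4.0.0.RC1"]:
        print(f"{v:16} A={is_affected(v, GROUP_A)!s:5} "
              f"B={is_affected(v, GROUP_B)!s:5}")
```

The series filter is what makes the difference between the two YAML shapes discussed here: without it, `<=3.2.18.RELEASE` would be read as "every version up to 3.2.18", including 3.1.x and 3.0.x, whereas `<=3.2.18.RELEASE,3.2` only claims the 3.2 line.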

@cplvic
Contributor

cplvic commented Feb 28, 2017

So then, are my previous submissions that were committed (9878.yaml, 9879.yaml, 4970.yaml) correct? I haven't specified ranges in those either. Take a look and let me know.
What I will do is cancel this pull request (71) and do a bigger update to correct everything in one pass.

cplvic added commits to cplvic/victims-cve-db that referenced this issue on Mar 13, 2017 and Mar 14, 2017, with the message:
Modified 2016-9878, 2016-9879 - Per jasinner, added series information
Added 2016-5007 - Spring Security + Framework for issue victims#49
Added 2017 folder
Added 2017-5638 for Apache Struts2 0-Day